Effective May 8, 2026
Privacy Policy
This Privacy Policy describes how Daily Leveling ("we," "our," "us") collects, uses, shares, and protects information when you use our mobile application, website, and API (together, the "Service"). By using the Service, you agree to this Policy.
1. Information we collect
Information you provide
- Account data: email address, username, password (hashed with bcrypt — we never store it in plain text).
- Avatar photo: if you upload one, we send it to OpenAI's image edit API to generate an anime-style avatar; the original photo is processed in memory and is not retained.
- Quest & goal data: the tasks, goals, descriptions, deadlines, categories, and priorities you create.
- Progress data: XP, levels, streaks, and category progression.
- Support correspondence: messages you send us.
Information collected automatically
- Device info: platform (iOS/Android), OS version, app version.
- Usage data: when quests are created/completed, basic crash and error logs.
- IP address: for rate limiting, security, and abuse prevention only.
Information from third parties
If you use our API or sign up via an AI agent, we record the agent's reported name (e.g. "ChatGPT") for audit purposes. We do not receive personal data from those agents beyond what you explicitly send.
2. How we use your information
- Provide and operate the Service (account creation, quest tracking, level progression).
- Generate AI avatars (sent to OpenAI; subject to their terms — see Section 4).
- Send transactional emails (password reset, agent onboarding confirmation).
- Detect and prevent abuse (rate limiting, account abuse).
- Improve the Service through aggregated, non-identifying analytics.
- Comply with legal obligations.
We do not sell your personal information. We do not use your data for advertising. We do not train AI models on your data.
3. Legal basis (GDPR)
If you are in the European Economic Area, UK, or Switzerland, our legal bases for processing are:
- Contract: processing your data to deliver the Service you signed up for.
- Consent: when you upload a photo for AI avatar generation.
- Legitimate interests: rate limiting, abuse prevention, security.
- Legal obligation: when required by applicable law.
4. Sub-processors & third-party services
We use the following sub-processors. Each is bound by their own privacy practices:
| Service | Purpose | Region |
|---|---|---|
| Neon | PostgreSQL database hosting | US-East |
| Vercel | Application + API hosting | US-East / global edge |
| Vercel Blob | Avatar image storage | US |
| OpenAI | AI avatar generation (gpt-image-1) | US |
| Resend | Transactional email delivery | US |
5. How we share information
We share information only when:
- You direct us to: e.g., when you mint an API key for an AI agent, that agent receives data per your instructions.
- Service providers: the sub-processors listed above, under data-processing terms.
- Legal: when required by law, court order, or to protect rights and safety.
- Business transfer: if we are acquired or merged, your data may transfer; we will notify you.
6. Your rights
All users
- Access: request a copy of your data.
- Delete: delete your account anytime via the app (Profile → Account → Delete Account) or at /delete-account.
- Correct: update inaccurate data via the app.
- Export: request a portable copy of your data.
EEA / UK / Swiss users (GDPR)
You have the additional rights to restrict or object to processing, withdraw consent, and lodge a complaint with your local supervisory authority. Contact privacy@dailyleveling.app.
California residents (CCPA / CPRA)
You have the right to know what categories of personal information we collect, to delete it, to correct it, and to opt out of "sale" or "sharing" — we do not sell or share your personal information for cross-context behavioral advertising. To exercise these rights, contact privacy@dailyleveling.app.
7. Data retention
- Account data: retained while your account is active.
- Deletion: when you delete your account, we delete all personal data within 30 days, except where retention is required by law (e.g., financial records).
- Onboarding tokens: 15-minute TTL; auto-purged.
- Backups: deleted data may persist in encrypted backups for up to 35 days.
8. Security
We use industry-standard safeguards: TLS in transit, encrypted at rest, bcrypt password hashing, SHA-256 hashed API keys, rate limiting, and least-privilege access. No system is 100% secure — report concerns to security@dailyleveling.app (see Security Policy).
9. Children's privacy
The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect data from children. If you believe a child has provided data, contact privacy@dailyleveling.app and we will delete it.
10. International transfers
Our infrastructure is primarily US-based. If you are outside the US, your data is transferred to and processed in the US under appropriate safeguards (Standard Contractual Clauses where applicable).
11. Apple-specific disclosures
Per Apple's App Privacy framework, we collect the following data types: Contact Info (email), User Content (photos for avatars, task/goal text), and Identifiers (user ID). All data is linked to your identity. We do not use any data for tracking across apps or websites owned by other companies.
12. Google Play Data Safety
Per Google's Data Safety section, we collect: Email, Photos, App activity, and Device IDs. Data is encrypted in transit. You can request deletion. We do not share data with third parties for advertising or analytics.
13. Changes to this Policy
We may update this Policy. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The "Effective" date at the top reflects the latest revision.
14. Contact
Privacy questions: privacy@dailyleveling.app
General support: support@dailyleveling.app